General

  • Target

    028f6fb69753071f074bbcba7768497e_JaffaCakes118

  • Size

    2.6MB

  • Sample

    240427-ghkvbacd86

  • MD5

    028f6fb69753071f074bbcba7768497e

  • SHA1

    0519a7d00d7e540b02c17ad2155462c85b555d54

  • SHA256

    f0eb408cd44334d5bc53f99b453357f55d69219d54f67ddc719229c4b7d10db0

  • SHA512

    6ba2cd69fe3ad9722a501a4b20f006d834f93970d4d93a3796ae9fa4c15a0fc2cccf630b0ed90cfc41303fd23c5e0f1cdbcf128050c22a0fe0b29d0b6e8c8973

  • SSDEEP

    49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrln:86SIROiFJiwp0xlrln

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe
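The extracted config above gives the two network indicators (the gate.php check-in URL and the secondary payload URL) and the General section gives the file hashes. The script below, added here as an illustration and not part of the sandbox report, turns them into a hunt: it digests a file with the same algorithms the report lists and compares against the known hashes, and it classifies proxy log lines that touch the C2 host (POST to gate.php as a check-in, a fetch of the payload path as a download, anything else on that host as contact). The log lines are constructed, not traffic from the sandbox run, and the Squid native log layout is an assumption about the reader's proxy.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the report's General and Malware Config sections.
C2_URL = "http://don.service-master.eu/gate.php"
PAYLOAD_URL = "http://don.service-master.eu/shit.exe"
KNOWN_HASHES = {
    "md5": "028f6fb69753071f074bbcba7768497e",
    "sha1": "0519a7d00d7e540b02c17ad2155462c85b555d54",
    "sha256": "f0eb408cd44334d5bc53f99b453357f55d69219d54f67ddc719229c4b7d10db0",
}
C2_PATH = urlparse(C2_URL).path            # "/gate.php"
PAYLOAD_PATH = urlparse(PAYLOAD_URL).path  # "/shit.exe"
IOC_HOSTS = {urlparse(u).hostname for u in (C2_URL, PAYLOAD_URL)}


def hash_bytes(data: bytes) -> dict:
    """Digest file contents with the same algorithms the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matching_hashes(data: bytes) -> list:
    """Names of the report's digests that the given file contents match (empty if none)."""
    digests = hash_bytes(data)
    return [algo for algo, known in KNOWN_HASHES.items() if digests[algo] == known]


# Assumed Squid native access.log layout: time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_request(method: str, url: str):
    """Return an IOC hit type for one proxied request, or None if it is unrelated.

    urlparse lower-cases the hostname and drops any port, so a request to
    DON.service-master.eu:8080 still matches the report's host.
    """
    parsed = urlparse(url)
    if parsed.hostname not in IOC_HOSTS:
        return None
    if parsed.path == C2_PATH and method.upper() == "POST":
        return "c2_checkin"        # Pony posts harvested credentials to gate.php
    if parsed.path == PAYLOAD_PATH:
        return "payload_download"  # the secondary payload the config points at
    return "ioc_host_contact"      # any other traffic to the C2 host still deserves a look


def scan_proxy_log(lines):
    """Return one hit dict per log line that touches the report's network IOCs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m["method"], m["url"])
        if kind:
            hits.append({"ts": m["ts"], "client": m["client"], "kind": kind, "url": m["url"]})
    return hits


# Constructed log lines for demonstration; not traffic from the sandbox run.
SAMPLE_LOG = [
    "1714200000.101    245 10.0.0.5 TCP_MISS/200 4137 GET http://don.service-master.eu/shit.exe - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1714200001.522    118 10.0.0.5 TCP_MISS/200 612 POST http://don.service-master.eu/gate.php - HIER_DIRECT/203.0.113.10 text/html",
    "1714200002.010     90 10.0.0.7 TCP_MISS/200 9921 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
    "1714200003.300    130 10.0.0.9 TCP_MISS/404 310 GET http://DON.service-master.eu:8080/other.php - HIER_DIRECT/203.0.113.10 text/html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['kind']:<17} {hit['url']}")
    print("hash matches for a non-sample file:", matching_hashes(b"not the sample"))
```

Matching on the parsed hostname rather than substring-searching the raw line is what catches the mixed-case, non-standard-port variant in the last log line; the SSDEEP hash from the report is deliberately left out because fuzzy matching needs the ssdeep library and a similarity threshold, not an equality check.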

Targets

    • Target

      028f6fb69753071f074bbcba7768497e_JaffaCakes118

    • Size

      2.6MB

    • MD5

      028f6fb69753071f074bbcba7768497e

    • SHA1

      0519a7d00d7e540b02c17ad2155462c85b555d54

    • SHA256

      f0eb408cd44334d5bc53f99b453357f55d69219d54f67ddc719229c4b7d10db0

    • SHA512

      6ba2cd69fe3ad9722a501a4b20f006d834f93970d4d93a3796ae9fa4c15a0fc2cccf630b0ed90cfc41303fd23c5e0f1cdbcf128050c22a0fe0b29d0b6e8c8973

    • SSDEEP

      49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrln:86SIROiFJiwp0xlrln

    • Modifies WinLogon for persistence

    • Modifies visibility of hidden/system files in Explorer

    • Pony,Fareit

      Pony (also tracked as Fareit) is an information-stealing trojan that harvests stored credentials from the host, reports them to its C2 gate and can download and run further payloads, which is what the payload_url in the extracted config points at.

    • Modifies Installed Components in the registry

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
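Four of the signatures above (WinLogon persistence, Explorer hidden-file visibility, Installed Components, Run key) are registry writes, so they can be re-detected on a live host from Sysmon event 13 (registry value set) records. The script below is an added detection example, not code from the sandbox or the report; the registry paths it checks are the usual locations for each technique and are an assumption, since the report does not print the exact values the sample wrote. The events are constructed, and the file paths in them are placeholders.

```python
import re

# Usual registry locations for each signature (assumption, see lead-in), with
# ATT&CK Enterprise technique IDs attached.
WINLOGON_KEY = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\"
WINLOGON_DEFAULTS = {          # anything beyond these stock values is a persistence hook
    "shell": "explorer.exe",
    "userinit": "c:\\windows\\system32\\userinit.exe,",
}
RUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)
ACTIVE_SETUP_KEY = "hklm\\software\\microsoft\\active setup\\installed components\\"
EXPLORER_ADVANCED_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\"
# Explorer values and the settings that hide files or extensions from the user.
HIDING_VALUES = {"hidden": 2, "showsuperhidden": 0, "hidefileext": 1}

USER_SID_RE = re.compile(r"^hku\\s-1-5-21-[\d-]+\\", re.I)
DWORD_RE = re.compile(r"^dword \(0x([0-9a-f]+)\)$", re.I)


def normalise_target(target: str) -> str:
    """Lower-case a Sysmon TargetObject and fold HKU\\<user SID>\\ into hkcu\\."""
    t = target.lower()
    t = t.replace("hkey_local_machine\\", "hklm\\").replace("hkey_current_user\\", "hkcu\\")
    return USER_SID_RE.sub(lambda _: "hkcu\\", t)


def parse_details(details: str):
    """Sysmon renders DWORDs as 'DWORD (0x00000002)'; string values come through as-is."""
    m = DWORD_RE.match(details)
    return int(m.group(1), 16) if m else details.lower()


def classify(event: dict):
    """Map one Sysmon event 13 (registry value set) to a finding dict, or None."""
    if event.get("EventType") != "SetValue":
        return None
    key, _, value_name = normalise_target(event["TargetObject"]).rpartition("\\")
    key += "\\"
    details = parse_details(event.get("Details", ""))
    base = {"image": event.get("Image", ""), "target": event["TargetObject"],
            "details": event.get("Details", "")}
    if key == WINLOGON_KEY and value_name in WINLOGON_DEFAULTS:
        if details == WINLOGON_DEFAULTS[value_name]:
            return None  # stock value rewritten unchanged: not a hook
        return dict(base, technique="T1547.004", signature="Modifies WinLogon for persistence")
    if key.endswith(RUN_KEY_SUFFIXES):
        return dict(base, technique="T1547.001", signature="Adds Run key to start application")
    if key.startswith(ACTIVE_SETUP_KEY) and value_name == "stubpath":
        return dict(base, technique="T1547.014", signature="Modifies Installed Components in the registry")
    if key.endswith(EXPLORER_ADVANCED_SUFFIX) and HIDING_VALUES.get(value_name) == details:
        return dict(base, technique="T1564.001",
                    signature="Modifies visibility of hidden/system files in Explorer")
    return None


def scan(events):
    """All findings for a list of Sysmon-style registry events, in event order."""
    return [f for f in map(classify, events) if f]


# Constructed events; the image paths are placeholders, not files from the report.
DROPPER = "C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe"
DROPPED = "C:\\Users\\victim\\AppData\\Roaming\\winsvc.exe"
SID = "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_EVENTS = [
    {"EventType": "SetValue", "Image": DROPPER, "Details": "C:\\Windows\\system32\\userinit.exe," + DROPPED,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe", "Details": "explorer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"},
    {"EventType": "SetValue", "Image": DROPPER, "Details": DROPPED,
     "TargetObject": SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinSvc"},
    {"EventType": "SetValue", "Image": DROPPED, "Details": "DWORD (0x00000002)",
     "TargetObject": SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
    {"EventType": "SetValue", "Image": DROPPED, "Details": DROPPED,
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{B5C7A8D1-0000-4000-8000-000000000001}\\StubPath"},
    {"EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['technique']:<10} {f['signature']:<55} {f['image']}")
```

The two negative cases matter as much as the hits: a Winlogon value rewritten to its stock content and a user turning hidden files on (Hidden = 1) both look like the malicious write at the key level and are only separated by checking the data, which is why the rule compares values rather than just paths. SetThreadContext, the last signature in the list, is a process-level API event and is not visible in registry telemetry at all.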

MITRE ATT&CK Enterprise v15

Tasks